What is Ransomware Recovery?
A ransomware attack begins when a machine on a network is infected with malware, typically because a user opened a malicious email attachment, clicked a malicious link, or was tricked by some other form of social engineering. Once one endpoint is infected, the ransomware spreads through the network and encrypts every file it can reach, using keys that only the threat actor controls. The threat actor then demands a ransom from the victim in exchange for decrypting the data. The typical steps in a ransomware attack are:
- Infection. The threat actor gains a foothold on a single endpoint or network device and uses it to move laterally toward the rest of the network.
- Secure key exchange. Once installed, the ransomware contacts the threat actor’s command and control server to generate or exchange the cryptographic keys used to lock the system, so that the key needed for decryption exists only on the attacker’s side.
- Encryption. The ransomware initiates the encryption process, targeting files both locally and across the network, rendering them inaccessible without the decryption keys.
- Extortion. The ransomware then displays an explanation of the next steps, including the ransom amount, instructions for payment, and the consequences of noncompliance.
- Recovery. The victim may remove the malware, rebuild the affected systems and restore their data from a clean backup, or may consider paying the ransom.
If you become the victim of a ransomware attack, the following steps can help you manage the impact of the incident and recover from it:¹
- Remain calm. Ransomware attacks are stressful. Remain calm and carefully make decisions about how to proceed with ransomware recovery.
- Quarantine. Ransomware tries to spread across the network to infect as many systems as possible. Disconnect infected systems from the rest of the network (unplug the cable, disable Wi-Fi, or isolate the host at the switch or through your endpoint security tooling) so that no further data is encrypted.
- Disconnect backups. Ransomware commonly targets backup systems because attackers know that organizations will try to restore from backups instead of paying. Do not connect any backup media or backup server to an infected computer; monitor the backup systems, and quarantine any backups that may already be infected or encrypted.
- Copy encrypted data. Before attempting decryption or cleanup, keep a copy of the encrypted files and any ransom notes. If decryption fails, or a free decryptor for the variant is released later, that copy is what makes recovery possible.
- Keep infected systems online. Some ransomware variants leave infected systems unstable, and a reboot can put them in an unrecoverable state; powering off also discards volatile memory that incident responders may want to examine. Do not reboot infected systems or apply updates to them while removing the ransomware.
- Cooperate and communicate. Reach out to law enforcement, regulators, and other stakeholders, and consider contacting a reputable incident response team. There are many organizations with specialized knowledge and additional resources to help with ransomware recovery.
- Identify the variant. The set of ransomware variants changes constantly. If the ransom note does not name the family, use the No More Ransom Project’s identification service, which matches the ransom note and a sample encrypted file against known families and lists any free decryptor that is available.
- Decide about paying ransom. This may be a difficult decision. Paying the ransom may allow for a faster and cheaper recovery, but paying provides no guarantee of recovery and provides the attackers with the resources needed to continue their activities.
- Review and take preventative actions. Identify the infection vector and close it to prevent future attackers from using the same techniques.
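The quarantine, copy-encrypted-data and identify-the-variant steps above lend themselves to a small triage script. The following is an added example written for this page, not code from the original article or from Check Point: it walks a suspected victim directory without modifying it, separates likely-encrypted files from plaintext by byte entropy, collects candidate ransom notes, and preserves every suspect file in an evidence directory with a SHA-256 manifest so the ciphertext survives a failed decryption attempt. The ransom-note filename patterns, the entropy threshold and the sample files it builds are assumptions made for the example, not indicators for any particular ransomware family.

```python
"""Offline triage of a suspected ransomware-hit directory tree.

Illustrative example added to this page (not the article's own code).
Supports the "copy encrypted data" and "identify the variant" steps:
 - classifies files as encrypted / ransom note / plaintext by entropy
 - copies (never moves) suspect files into an evidence directory
 - records a SHA-256 manifest and verifies each copy
"""
import hashlib
import math
import os
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: words ransomware authors commonly put in note filenames; adjust per case.
NOTE_NAME_RE = re.compile(r"(readme|decrypt|restore|recover|how_to|help)", re.I)
# Assumption: ciphertext approaches 8 bits of entropy per byte; ordinary documents sit well below.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # read at most this much per file when estimating entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    with path.open("rb") as f:
        return shannon_entropy(f.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path) -> dict:
    """Classify every regular file under root; the tree is only read, never written."""
    result = {"encrypted": [], "notes": [], "plain": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        encrypted = looks_encrypted(path)
        if NOTE_NAME_RE.search(path.name) and not encrypted:
            result["notes"].append(path)
        elif encrypted:
            result["encrypted"].append(path)
        else:
            result["plain"].append(path)
    return result


def preserve(files, root: Path, dest: Path) -> dict:
    """Copy files into dest (keeping relative paths) and return {relpath: sha256}."""
    manifest = {}
    for path in files:
        rel = path.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy, never move: the original stays untouched
        digest = sha256_file(path)
        if sha256_file(target) != digest:
            raise RuntimeError(f"copy verification failed for {rel}")
        manifest[str(rel)] = digest
    return manifest


def build_sample_tree(root: Path) -> None:
    """Constructed demo data: one plaintext document, one random 'encrypted' blob, one note."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "report.txt").write_text("Quarterly figures: " + "revenue 1000 " * 200)
    (root / "report.txt.locked").write_bytes(os.urandom(32 * 1024))
    (root / "HOW_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Contact us for the key.\n")


def run_demo(workdir=None) -> dict:
    """Build the sample tree, triage it, preserve the evidence, return a summary."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="rw-triage-"))
    victim, evidence = workdir / "victim", workdir / "evidence"
    build_sample_tree(victim)
    classes = triage(victim)
    manifest = preserve(classes["encrypted"] + classes["notes"], victim, evidence)
    for note in classes["notes"]:  # the note text is what you submit for variant identification
        print(f"ransom note {note.name}:\n{note.read_text()}")
    return {"classes": {k: [p.name for p in v] for k, v in classes.items()},
            "manifest": manifest}


if __name__ == "__main__":
    summary = run_demo()
    print(summary["classes"])
    for rel, digest in summary["manifest"].items():
        print(f"{digest}  {rel}")
```

Run it against a real tree by calling `triage(Path("/mnt/victim"))` and `preserve(...)` with an evidence directory on separate, write-once media; keep the manifest with the copy so the encrypted data can be proven unmodified when a decryptor is tried later. Entropy alone cannot tell ciphertext from compressed archives or images, so treat the "encrypted" class as a triage list for an analyst, not a verdict.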
¹ Check Point, 2023, “Ransomware Recovery: How to Recover from Ransomware”.